diff --git a/builtin/providers/aws/resource_aws_iam_role.go b/builtin/providers/aws/resource_aws_iam_role.go
index 3833ea278..f79b5a360 100644
--- a/builtin/providers/aws/resource_aws_iam_role.go
+++ b/builtin/providers/aws/resource_aws_iam_role.go
@@ -82,6 +82,11 @@ func resourceAwsIamRole() *schema.Resource {
 ForceNew: true,
 },
+ "description": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
+
 "assume_role_policy": {
 Type: schema.TypeString,
 Required: true,
@@ -115,6 +120,10 @@ func resourceAwsIamRoleCreate(d *schema.ResourceData, meta interface{}) error {
 AssumeRolePolicyDocument: aws.String(d.Get("assume_role_policy").(string)),
 }
+ if v, ok := d.GetOk("description"); ok {
+ request.Description = aws.String(v.(string))
+ }
+
 var createResp *iam.CreateRoleOutput
 err := resource.Retry(30*time.Second, func() *resource.RetryError {
 var err error
@@ -168,6 +177,20 @@ func resourceAwsIamRoleUpdate(d *schema.ResourceData, meta interface{}) error {
 }
 }
+ if d.HasChange("description") {
+ roleDescriptionInput := &iam.UpdateRoleDescriptionInput{
+ RoleName: aws.String(d.Id()),
+ Description: aws.String(d.Get("description").(string)),
+ }
+ _, err := iamconn.UpdateRoleDescription(roleDescriptionInput)
+ if err != nil {
+ if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" {
+ d.SetId("")
+ return nil
+ }
+ return fmt.Errorf("Error Updating IAM Role (%s) Description: %s", d.Id(), err)
+ }
+ }
 return nil
 }
@@ -189,6 +212,13 @@ func resourceAwsIamRoleReadResult(d *schema.ResourceData, role *iam.Role) error
 return err
 }
+ if role.Description != nil {
+ // the description isn't present in the response to CreateRole.
+ if err := d.Set("description", role.Description); err != nil {
+ return err
+ }
+ }
+
 assumRolePolicy, err := url.QueryUnescape(*role.AssumeRolePolicyDocument)
 if err != nil {
 return err
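Review bot: In the schema hunk of resourceAwsIamRole(), the new `description` attribute has no `ValidateFunc`, so a value IAM will reject is only caught at apply time, possibly after other resources in the same run have already changed. The IAM CreateRole API reference limits the description to 1000 characters and a restricted character set; a plan-time length check on this field (a small validator helper, still to be written) would fail early. The schema map starts and ends outside the hunk.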
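Review bot: Credentials scoped to least privilege will start failing on role updates, because the `d.HasChange("description")` branch added to resourceAwsIamRoleUpdate calls `iamconn.UpdateRoleDescription`, which needs the `iam:UpdateRoleDescription` permission, and nothing in the commit documents that. I would mention it in the resource docs and add a comment above the call, e.g. `// Requires iam:UpdateRoleDescription in addition to the permissions used elsewhere in this resource.` Separately, the NoSuchEntity branch clears the ID with `d.SetId("")` and returns nil from the middle of the update; a one-line comment saying the role was deleted out of band would make that intent explicit. The function begins outside the hunk.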
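Review bot: The `role.Description != nil` guard in resourceAwsIamRoleReadResult hides drift: if the description is removed from the role outside Terraform, GetRole presumably returns no Description, `d.Set` is skipped, and state keeps the stale value with no diff on the next plan. The inline comment suggests the guard exists because this function is also fed the CreateRole response (that caller is not visible in the hunk). If so, refreshing through GetRole after create and setting the field unconditionally here, `d.Set("description", role.Description)`, would keep state in step with the role. At minimum the comment should say that the guard also suppresses detection of a cleared description.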
diff --git a/builtin/providers/aws/resource_aws_iam_role_test.go b/builtin/providers/aws/resource_aws_iam_role_test.go
index 22ffa8ec3..b6a3eb293 100644
--- a/builtin/providers/aws/resource_aws_iam_role_test.go
+++ b/builtin/providers/aws/resource_aws_iam_role_test.go
@@ -178,6 +178,10 @@ func testAccCheckAWSRoleAttributes(role *iam.GetRoleOutput) resource.TestCheckFu
 if *role.Role.Path != "/" {
 return fmt.Errorf("Bad path: %s", *role.Role.Path)
 }
+
+ if *role.Role.Description != "Test Role" {
+ return fmt.Errorf("Bad description: %s", *role.Role.Description)
+ }
 return nil
 }
 }
@@ -186,6 +190,7 @@ const testAccAWSRoleConfig = `
 resource "aws_iam_role" "role" {
 name = "test-role"
 path = "/"
+ description = "Test Role"
 assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
 }
 `
diff --git a/website/source/docs/providers/aws/r/iam_role.html.markdown b/website/source/docs/providers/aws/r/iam_role.html.markdown
index ecba4be52..ad8b983d3 100644
--- a/website/source/docs/providers/aws/r/iam_role.html.markdown
+++ b/website/source/docs/providers/aws/r/iam_role.html.markdown
@@ -46,6 +46,7 @@ The following arguments are supported:
 * `path` - (Optional) The path to the role. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) for more information.
+* `description` - (Optional) The description of the role.
 ## Attributes Reference
@@ -55,6 +56,7 @@ The following attributes are exported:
 * `create_date` - The creation date of the IAM role.
 * `unique_id` - The stable and unique string identifying the role.
 * `name` - The name of the role.
+* `description` - The description of the role.
 ## Example of Using Data Source for Assume Role Policy
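Review bot: `*role.Role.Description` is dereferenced without a nil check in testAccCheckAWSRoleAttributes, so if GetRole returns no description the acceptance test panics instead of reporting a failure; the provider code in this same commit treats a nil Description as possible. Guard it, e.g. `if role.Role.Description == nil || *role.Role.Description != "Test Role" {`, and build the message from a nil-safe value (for instance `aws.StringValue(role.Role.Description)`, if the `aws` package is imported in this test file). The commit also adds an update path through UpdateRoleDescription that no visible test step exercises; a second step that changes `description` would cover it. The function starts outside the hunk.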